Allow for configuring DN format (#57)

* Add config options for customizing group and nate attribute prefixes and name of ssh-key output * Rename nameattr and groupattr to respectively nameformat and groupformat * Messed up setting up default values on merge for ldap and ldaps section * Fix good-results after 'via LDAP' suffix was removed from gecos and description * Added uid for good-results aswell * Revert "Added uid for good-results aswell" This reverts commit 21b86d2. * Adjust tests * order of cn and uid should be same for both posixaccount and posixgroup to pass tests
glauth · Mar 22, 2019 · c69168c · c69168c
1 parent 2243d3d
commit c69168c
Show file tree

Hide file tree

Showing 11 changed files with 73 additions and 47 deletions.
diff --git a/.gitignore b/.gitignore
@@ -16,3 +16,5 @@ bindata.go
 
 # Ignoring travis CLI tool logs
 *travis.log
+
+certs/
diff --git a/configbackend.go b/configbackend.go
@@ -43,14 +43,15 @@ func (h configHandler) Bind(bindDN, bindSimplePw string, conn net.Conn) (resultC
 	groupName := ""
 	userName := ""
 	if len(parts) == 1 {
-		userName = strings.TrimPrefix(parts[0], "cn=")
+		userName = strings.TrimPrefix(parts[0], h.cfg.Backend.NameFormat+"=")
 	} else if len(parts) == 2 {
-		userName = strings.TrimPrefix(parts[0], "cn=")
-		groupName = strings.TrimPrefix(parts[1], "ou=")
+		userName = strings.TrimPrefix(parts[0], h.cfg.Backend.NameFormat+"=")
+		groupName = strings.TrimPrefix(parts[1], h.cfg.Backend.GroupFormat+"=")
 	} else {
 		log.Warning(fmt.Sprintf("Bind Error: BindDN %s should have only one or two parts (has %d)", bindDN, len(parts)))
 		return ldap.LDAPResultInvalidCredentials, nil
 	}
+
 	// find the user
 	user := configUser{}
 	found := false
@@ -188,12 +189,13 @@ func (h configHandler) Search(bindDN string, searchReq ldap.SearchRequest, conn
 		for _, g := range h.cfg.Groups {
 			attrs := []*ldap.EntryAttribute{}
 			attrs = append(attrs, &ldap.EntryAttribute{"cn", []string{g.Name}})
-			attrs = append(attrs, &ldap.EntryAttribute{"description", []string{fmt.Sprintf("%s via LDAP", g.Name)}})
+			attrs = append(attrs, &ldap.EntryAttribute{"uid", []string{g.Name}})
+			attrs = append(attrs, &ldap.EntryAttribute{"description", []string{fmt.Sprintf("%s", g.Name)}})
 			attrs = append(attrs, &ldap.EntryAttribute{"gidNumber", []string{fmt.Sprintf("%d", g.UnixID)}})
 			attrs = append(attrs, &ldap.EntryAttribute{"objectClass", []string{"posixGroup"}})
 			attrs = append(attrs, &ldap.EntryAttribute{"uniqueMember", h.getGroupMembers(g.UnixID)})
 			attrs = append(attrs, &ldap.EntryAttribute{"memberUid", h.getGroupMemberIDs(g.UnixID)})
-			dn := fmt.Sprintf("cn=%s,ou=groups,%s", g.Name, h.cfg.Backend.BaseDN)
+			dn := fmt.Sprintf("cn=%s,%s=groups,%s", g.Name, h.cfg.Backend.GroupFormat, h.cfg.Backend.BaseDN)
 			entries = append(entries, &ldap.Entry{dn, attrs})
 		}
 	case "posixaccount", "":
@@ -237,14 +239,14 @@ func (h configHandler) Search(bindDN string, searchReq ldap.SearchRequest, conn
 				attrs = append(attrs, &ldap.EntryAttribute{"homeDirectory", []string{"/home/" + u.Name}})
 			}
 
-			attrs = append(attrs, &ldap.EntryAttribute{"description", []string{fmt.Sprintf("%s via LDAP", u.Name)}})
-			attrs = append(attrs, &ldap.EntryAttribute{"gecos", []string{fmt.Sprintf("%s via LDAP", u.Name)}})
+			attrs = append(attrs, &ldap.EntryAttribute{"description", []string{fmt.Sprintf("%s", u.Name)}})
+			attrs = append(attrs, &ldap.EntryAttribute{"gecos", []string{fmt.Sprintf("%s", u.Name)}})
 			attrs = append(attrs, &ldap.EntryAttribute{"gidNumber", []string{fmt.Sprintf("%d", u.PrimaryGroup)}})
 			attrs = append(attrs, &ldap.EntryAttribute{"memberOf", h.getGroupDNs(append(u.OtherGroups, u.PrimaryGroup))})
 			if len(u.SSHKeys) > 0 {
-				attrs = append(attrs, &ldap.EntryAttribute{"sshPublicKey", u.SSHKeys})
+				attrs = append(attrs, &ldap.EntryAttribute{h.cfg.Backend.SSHKeyAttr, u.SSHKeys})
 			}
-			dn := fmt.Sprintf("cn=%s,ou=%s,%s", u.Name, h.getGroupName(u.PrimaryGroup), h.cfg.Backend.BaseDN)
+			dn := fmt.Sprintf("%s=%s,%s=%s,%s", h.cfg.Backend.NameFormat, u.Name, h.cfg.Backend.GroupFormat, h.getGroupName(u.PrimaryGroup), h.cfg.Backend.BaseDN)
 			entries = append(entries, &ldap.Entry{dn, attrs})
 		}
 	}
@@ -264,12 +266,12 @@ func (h configHandler) getGroupMembers(gid int) []string {
 	members := make(map[string]bool)
 	for _, u := range h.cfg.Users {
 		if u.PrimaryGroup == gid {
-			dn := fmt.Sprintf("cn=%s,ou=%s,%s", u.Name, h.getGroupName(u.PrimaryGroup), h.cfg.Backend.BaseDN)
+			dn := fmt.Sprintf("%s=%s,%s=%s,%s", h.cfg.Backend.NameFormat, u.Name, h.cfg.Backend.GroupFormat, h.getGroupName(u.PrimaryGroup), h.cfg.Backend.BaseDN)
 			members[dn] = true
 		} else {
 			for _, othergid := range u.OtherGroups {
 				if othergid == gid {
-					dn := fmt.Sprintf("cn=%s,ou=%s,%s", u.Name, h.getGroupName(u.PrimaryGroup), h.cfg.Backend.BaseDN)
+					dn := fmt.Sprintf("%s=%s,%s=%s,%s", h.cfg.Backend.NameFormat, u.Name, h.cfg.Backend.GroupFormat, h.getGroupName(u.PrimaryGroup), h.cfg.Backend.BaseDN)
 					members[dn] = true
 				}
 			}
@@ -347,7 +349,7 @@ func (h configHandler) getGroupDNs(gids []int) []string {
 	for _, gid := range gids {
 		for _, g := range h.cfg.Groups {
 			if g.UnixID == gid {
-				dn := fmt.Sprintf("cn=%s,ou=groups,%s", g.Name, h.cfg.Backend.BaseDN)
+				dn := fmt.Sprintf("cn=%s,%s=groups,%s", g.Name, h.cfg.Backend.GroupFormat, h.cfg.Backend.BaseDN)
 				groups[dn] = true
 			}
 

diff --git a/glauth.go b/glauth.go
@@ -65,10 +65,13 @@ type Backend interface {
 
 // config file
 type configBackend struct {
-	BaseDN    string
-	Datastore string
-	Insecure  bool     // For LDAP backend only
-	Servers   []string // For LDAP backend only
+	BaseDN      string
+	Datastore   string
+	Insecure    bool     // For LDAP backend only
+	Servers     []string // For LDAP backend only
+	NameFormat  string
+	GroupFormat string
+	SSHKeyAttr  string
 }
 type configFrontend struct {
 	AllowedBaseDNs []string // For LDAP backend only
@@ -309,6 +312,9 @@ func parseConfigFile(configFileLocation string) (*config, error) {
 	// setup defaults
 	cfg.LDAP.Enabled = false
 	cfg.LDAPS.Enabled = true
+	cfg.Backend.NameFormat = "cn"
+	cfg.Backend.GroupFormat = "ou"
+	cfg.Backend.SSHKeyAttr = "sshPublicKey"
 
 	// parse the config file
 	if strings.HasPrefix(configFileLocation, "s3://") {

diff --git a/sample-simple.cfg b/sample-simple.cfg
@@ -42,6 +42,15 @@ debug = true
 [backend]
   datastore = "config"
   baseDN = "dc=glauth,dc=com"
+
+  ## Configure dn format to use structures like 
+  ## "uid=serviceuser,cn=svcaccts,$BASEDN" instead of "cn=serviceuser,ou=svcaccts,$BASEDN"
+  ## to help ease migrations from other LDAP systems
+  # nameformat = "uid"
+  # groupformat = "cn"
+
+  ## Configure ssh-key attribute name, default is 'sshPublicKey'
+  # sshkeyattr = "ipaSshPubKey"
 
 #################
 # The users section contains a hardcoded list of valid users.

diff --git a/scripts/travis/good-results/posixAccountList0 b/scripts/travis/good-results/posixAccountList0
@@ -7,8 +7,8 @@ accountStatus: active
 objectClass: posixAccount
 loginShell: /bin/bash
 homeDirectory: /home/hackers
-description: hackers via LDAP
-gecos: hackers via LDAP
+description: hackers
+gecos: hackers
 gidNumber: 5501
 memberOf: cn=allaccs,ou=groups,dc=glauth,dc=com
 memberOf: cn=superheros,ou=groups,dc=glauth,dc=com
@@ -26,8 +26,8 @@ mail: jdoe@example.com
 objectClass: posixAccount
 loginShell: /bin/sh
 homeDirectory: /root
-description: johndoe via LDAP
-gecos: johndoe via LDAP
+description: johndoe
+gecos: johndoe
 gidNumber: 5501
 memberOf: cn=allaccs,ou=groups,dc=glauth,dc=com
 memberOf: cn=superheros,ou=groups,dc=glauth,dc=com
@@ -51,8 +51,8 @@ mail: jdoe2@example.com
 objectClass: posixAccount
 loginShell: /bin/sh
 homeDirectory: /home/jamesdoe
-description: jamesdoe via LDAP
-gecos: jamesdoe via LDAP
+description: jamesdoe
+gecos: jamesdoe
 gidNumber: 5501
 memberOf: cn=allaccs,ou=groups,dc=glauth,dc=com
 memberOf: cn=fulltime,ou=groups,dc=glauth,dc=com
@@ -78,8 +78,8 @@ mail: adoe@example.com
 objectClass: posixAccount
 loginShell: /bin/sh
 homeDirectory: /home/alexdoe
-description: alexdoe via LDAP
-gecos: alexdoe via LDAP
+description: alexdoe
+gecos: alexdoe
 gidNumber: 5501
 memberOf: cn=allaccs,ou=groups,dc=glauth,dc=com
 memberOf: cn=fulltime,ou=groups,dc=glauth,dc=com
@@ -99,8 +99,8 @@ mail: jdoe3@example.com
 objectClass: posixAccount
 loginShell: /bin/sh
 homeDirectory: /home/jackdoe
-description: jackdoe via LDAP
-gecos: jackdoe via LDAP
+description: jackdoe
+gecos: jackdoe
 gidNumber: 5501
 memberOf: cn=allaccs,ou=groups,dc=glauth,dc=com
 memberOf: cn=fulltime,ou=groups,dc=glauth,dc=com
@@ -120,8 +120,8 @@ mail: sdoe@example.com
 objectClass: posixAccount
 loginShell: /bin/sh
 homeDirectory: /home/sarahdoe
-description: sarahdoe via LDAP
-gecos: sarahdoe via LDAP
+description: sarahdoe
+gecos: sarahdoe
 gidNumber: 5501
 memberOf: cn=allaccs,ou=groups,dc=glauth,dc=com
 memberOf: cn=fulltime,ou=groups,dc=glauth,dc=com
@@ -138,8 +138,8 @@ accountStatus: active
 objectClass: posixAccount
 loginShell: /bin/bash
 homeDirectory: /home/serviceuser
-description: serviceuser via LDAP
-gecos: serviceuser via LDAP
+description: serviceuser
+gecos: serviceuser
 gidNumber: 5502
 memberOf: cn=allaccs,ou=groups,dc=glauth,dc=com
 memberOf: cn=svcaccts,ou=groups,dc=glauth,dc=com

diff --git a/scripts/travis/good-results/posixGroupList0 b/scripts/travis/good-results/posixGroupList0
@@ -1,6 +1,7 @@
 dn: cn=superheros,ou=groups,dc=glauth,dc=com
 cn: superheros
-description: superheros via LDAP
+uid: superheros
+description: superheros
 gidNumber: 5501
 objectClass: posixGroup
 uniqueMember: cn=alexdoe,ou=superheros,dc=glauth,dc=com
@@ -18,15 +19,17 @@ memberUid: sarahdoe
 
 dn: cn=svcaccts,ou=groups,dc=glauth,dc=com
 cn: svcaccts
-description: svcaccts via LDAP
+uid: svcaccts
+description: svcaccts
 gidNumber: 5502
 objectClass: posixGroup
 uniqueMember: cn=serviceuser,ou=svcaccts,dc=glauth,dc=com
 memberUid: serviceuser
 
 dn: cn=vpnaccess,ou=groups,dc=glauth,dc=com
 cn: vpnaccess
-description: vpnaccess via LDAP
+uid: vpnaccess
+description: vpnaccess
 gidNumber: 5503
 objectClass: posixGroup
 uniqueMember: cn=alexdoe,ou=superheros,dc=glauth,dc=com
@@ -44,7 +47,8 @@ memberUid: sarahdoe
 
 dn: cn=allaccs,ou=groups,dc=glauth,dc=com
 cn: allaccs
-description: allaccs via LDAP
+uid: allaccs
+description: allaccs
 gidNumber: 5504
 objectClass: posixGroup
 uniqueMember: cn=alexdoe,ou=superheros,dc=glauth,dc=com
@@ -64,7 +68,8 @@ memberUid: serviceuser
 
 dn: cn=mailadmin,ou=groups,dc=glauth,dc=com
 cn: mailadmin
-description: mailadmin via LDAP
+uid: mailadmin
+description: mailadmin
 gidNumber: 5505
 objectClass: posixGroup
 uniqueMember: cn=alexdoe,ou=superheros,dc=glauth,dc=com
@@ -78,13 +83,15 @@ memberUid: sarahdoe
 
 dn: cn=webmail,ou=groups,dc=glauth,dc=com
 cn: webmail
-description: webmail via LDAP
+uid: webmail
+description: webmail
 gidNumber: 5506
 objectClass: posixGroup
 
 dn: cn=fulltime,ou=groups,dc=glauth,dc=com
 cn: fulltime
-description: fulltime via LDAP
+uid: fulltime
+description: fulltime
 gidNumber: 5507
 objectClass: posixGroup
 uniqueMember: cn=alexdoe,ou=superheros,dc=glauth,dc=com

diff --git a/scripts/travis/good-results/userFetchTest0 b/scripts/travis/good-results/userFetchTest0
@@ -7,8 +7,8 @@ accountStatus: active
 objectClass: posixAccount
 loginShell: /bin/bash
 homeDirectory: /home/hackers
-description: hackers via LDAP
-gecos: hackers via LDAP
+description: hackers
+gecos: hackers
 gidNumber: 5501
 memberOf: cn=allaccs,ou=groups,dc=glauth,dc=com
 memberOf: cn=superheros,ou=groups,dc=glauth,dc=com

diff --git a/scripts/travis/good-results/userFetchTest1 b/scripts/travis/good-results/userFetchTest1
@@ -10,8 +10,8 @@ mail: jdoe@example.com
 objectClass: posixAccount
 loginShell: /bin/sh
 homeDirectory: /root
-description: johndoe via LDAP
-gecos: johndoe via LDAP
+description: johndoe
+gecos: johndoe
 gidNumber: 5501
 memberOf: cn=allaccs,ou=groups,dc=glauth,dc=com
 memberOf: cn=superheros,ou=groups,dc=glauth,dc=com

diff --git a/scripts/travis/good-results/userFetchTest2 b/scripts/travis/good-results/userFetchTest2
@@ -7,8 +7,8 @@ accountStatus: active
 objectClass: posixAccount
 loginShell: /bin/bash
 homeDirectory: /home/serviceuser
-description: serviceuser via LDAP
-gecos: serviceuser via LDAP
+description: serviceuser
+gecos: serviceuser
 gidNumber: 5502
 memberOf: cn=allaccs,ou=groups,dc=glauth,dc=com
 memberOf: cn=svcaccts,ou=groups,dc=glauth,dc=com

diff --git a/scripts/travis/good-results/userFetchTest3 b/scripts/travis/good-results/userFetchTest3
@@ -10,8 +10,8 @@ mail: jdoe2@example.com
 objectClass: posixAccount
 loginShell: /bin/sh
 homeDirectory: /home/jamesdoe
-description: jamesdoe via LDAP
-gecos: jamesdoe via LDAP
+description: jamesdoe
+gecos: jamesdoe
 gidNumber: 5501
 memberOf: cn=allaccs,ou=groups,dc=glauth,dc=com
 memberOf: cn=fulltime,ou=groups,dc=glauth,dc=com

diff --git a/scripts/travis/good-results/userFetchTest4 b/scripts/travis/good-results/userFetchTest4
@@ -10,8 +10,8 @@ mail: adoe@example.com
 objectClass: posixAccount
 loginShell: /bin/sh
 homeDirectory: /home/alexdoe
-description: alexdoe via LDAP
-gecos: alexdoe via LDAP
+description: alexdoe
+gecos: alexdoe
 gidNumber: 5501
 memberOf: cn=allaccs,ou=groups,dc=glauth,dc=com
 memberOf: cn=fulltime,ou=groups,dc=glauth,dc=com